IDS mailing list archives
RE: need your help,thanks
From: "Hayden Searle" <hayden.searle () safecom co nz>
Date: Mon, 30 Aug 2004 03:30:47 +1200
My experience has been with the ISS products and this has a database backend and can produce reports to help you find out what is 'normal' for your environment, and it also correlates like attacks, and has the ability to check the incoming attacks against known hosts (targets). If the "Security Fusion" module is installed, it can tell you if the targeted host is vulnerable to the attack. False positives take a long time to tune out of your system, and you can never fully get rid of them, as new signatures come out all the time. IDS's while good to help with your perimeter security are a job in themselves, if you want to ensure good effective network security principles, and accuracy of the alerts. Hayden Searle -----Original Message----- From: Charles Heselton [mailto:charles.heselton () gmail com] Sent: Wednesday, 25 August 2004 2:42 p.m. To: Lily Cc: focus-ids () securityfocus com Subject: Re: need your help,thanks On Sun, 22 Aug 2004 13:37:22 +0800, Lily <xiaoche111 () hotmail com> wrote:
hi,all I am a youngling in IDS.I read some papers in network this days and
the more I read the little I understand.Because there are so many researching area in IDS and I dont know what I'll do.There are some questions below: Keep reading. ;)
1.If the false alarm rates have being resloved now?I think its a
essential premise of the area of "response mechanism of IDS" that I want to research,do you think so? False alarms depend upon the accuracy of your signatures, and the peculiarity of your traffic. If the traffic in your environment is out of RFC standard, but is considered "normal" for your environment, it could produce a lot of false positives, especially with an anomaly based IDS. I think that this is something that IDS will always have to deal with. You can never have *perfect* detection.
2.Has someone firsthand used a data mining tool just like C5 to
reduce some data and make a conclusion about anomaly detection?Do you think it is advisable?
Could you please help me?Thank you in advance.
I haven't used C5, but my organization has attempted to use an Oracle database for such a purpose. There are products out there which are supposed to do this sort of correlation for you. I know of Symantec's CyberWolf, and I've been told (:-?) that NetIQ does this sort of thing, though I have yet to see it. I'm sure there are others as well. Anyhow, the key to making a database type situation work is being able to rule out possibly anomalous traffic based on historical data. Then feed this info back into the IDS. I'm not familiar with any IDS that has this capability (yet).
Regards Lily
-- Charlie Heselton Network Security Engineer ##################################################################################### Important: This electronic message and attachments (if any) are confidential and may be legally privileged. If you are not the intended recipient do not copy, disclose or use the contents in any way. Please let us know by return e-mail immediately and then destroy this message. #####################################################################################
Current thread:
- need your help,thanks Lily (Aug 22)
- Re: need your help,thanks Charles Heselton (Aug 29)
- Re: need your help,thanks Jose Maria Lopez (Aug 30)
- <Possible follow-ups>
- RE: need your help,thanks Hayden Searle (Aug 30)
- Re: need your help,thanks Charles Heselton (Aug 29)